Another sample is related to an online payroll system used by several companies in the US.

As we previously said, the .doc files contain an embedded Flash file with no compression or obfuscation. The Flash file has an embedded executable file that is the actual payload delivered to the victim. It is worth mentioning that the executable file isn't obfuscated at all, which means most security products should be able to detect this threat using generic signatures.

The Flash files contain several ActionScript classes that check for specific Flash and operating system versions, plus specific code to trigger the exploit.
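The layered structure described above (a document carrying an uncompressed SWF, which in turn carries a plain, unobfuscated PE file) is exactly what a generic signature can key on. The script below is an added example written for this post, not code from the original article or from AlienVault: it locates SWF headers (FWS uncompressed, CWS zlib-compressed) inside an arbitrary blob, extracts the SWF body, and checks it for an embedded PE executable by validating the MZ stub and the PE signature at `e_lfanew`. All sample input is constructed inline; the fake PE and the OLE-like wrapper are stand-ins for the real sample, and the LZMA-compressed ZWS variant is deliberately not handled.

```python
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS")  # uncompressed and zlib-compressed SWF headers
SWF_HEADER_LEN = 8                 # signature(3) + version(1) + uint32 length(4)
MAX_SWF_VERSION = 50               # sanity bound for the version byte


def find_swf_headers(data):
    """Return (offset, signature, version, declared_length) for each plausible SWF header."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + SWF_HEADER_LEN <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                if 1 <= version <= MAX_SWF_VERSION and length > SWF_HEADER_LEN:
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def find_pe_headers(data):
    """Return offsets of every 'MZ' stub whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def swf_body(data, swf):
    """Return the SWF body after its 8-byte header, inflating it first if the SWF is a CWS."""
    off, sig, _, length = swf
    if sig == "FWS":
        return data[off + SWF_HEADER_LEN:off + length]
    # CWS: everything after the header is one zlib stream; decompressobj tolerates trailing bytes
    try:
        return zlib.decompressobj().decompress(data[off + SWF_HEADER_LEN:])
    except zlib.error:
        return b""


def scan_document(data):
    """Flag blobs that embed a SWF which itself embeds a PE executable."""
    report = {"swf": [], "pe_in_swf": [], "suspicious": False}
    for swf in find_swf_headers(data):
        report["swf"].append({"offset": swf[0], "signature": swf[1], "version": swf[2]})
        for pe_off in find_pe_headers(swf_body(data, swf)):
            report["pe_in_swf"].append({"swf_offset": swf[0], "pe_offset_in_body": pe_off})
    report["suspicious"] = bool(report["pe_in_swf"])
    return report


def build_fake_pe():
    """Constructed PE-shaped stub (not a real executable): DOS header, e_lfanew=0x80, PE signature."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x80)  # 64-byte DOS header
    return dos + b"\x00" * (0x80 - len(dos)) + b"PE\x00\x00" + b"\x00" * 20


def build_fake_document(compressed=False):
    """Constructed OLE-like blob wrapping a SWF that wraps the fake PE, mirroring the described layout."""
    body = b"\x00" * 16 + build_fake_pe() + b"\x00" * 8
    length = struct.pack("<I", SWF_HEADER_LEN + len(body))  # uncompressed length incl. header
    if compressed:
        swf = b"CWS" + bytes([10]) + length + zlib.compress(body)
    else:
        swf = b"FWS" + bytes([10]) + length + body
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature
    return ole_magic + b"\x00" * 64 + swf + b"\x00" * 32


if __name__ == "__main__":
    for compressed in (False, True):
        print(scan_document(build_fake_document(compressed)))
```

Run as-is it scans both the uncompressed and the zlib-compressed variants of the constructed document and reports the SWF offset and the position of the PE stub inside the SWF body; pointing `scan_document` at the bytes of a real `.doc` works the same way. The PE check insists on a sane `e_lfanew` and an actual `PE\0\0` signature so that stray "MZ" bytes do not trigger it.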

One of the payloads used is an executable signed with a fake certificate from a South Korean company called MGAME. We have seen this certificate dozens of times in the past, as part of targeted attacks (including ones against NGOs), used to sign several RAT files including PlugX.

The sample connects to ieee[.]boeing-job[.]com (C&C).

We will keep you up to date as we discover new information related to this attack.

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team, which leads the charge in researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work on emerging threats and targeted attacks is frequently cited in international publications such as the New York Times, BBC, Washington Post and Al Jazeera.